From 45f566c60edc140974c9a38b6cf25f7f837c13db Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 20 Aug 2023 20:07:08 +0200
Subject: [PATCH] 4.19-stable patches

added patches:
	fbdev-mmp-fix-value-check-in-mmphw_probe.patch
	powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch
---
 ...v-mmp-fix-value-check-in-mmphw_probe.patch | 34 ++++++++++
 ...er-copy-to-flash-block-cache-objects.patch | 68 +++++++++++++++++++
 queue-4.19/series                             |  2 +
 3 files changed, 104 insertions(+)
 create mode 100644 queue-4.19/fbdev-mmp-fix-value-check-in-mmphw_probe.patch
 create mode 100644 queue-4.19/powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch

diff --git a/queue-4.19/fbdev-mmp-fix-value-check-in-mmphw_probe.patch b/queue-4.19/fbdev-mmp-fix-value-check-in-mmphw_probe.patch
new file mode 100644
index 00000000000..644b337ab85
--- /dev/null
+++ b/queue-4.19/fbdev-mmp-fix-value-check-in-mmphw_probe.patch
@@ -0,0 +1,34 @@
+From 0872b2c0abc0e84ac82472959c8e14e35277549c Mon Sep 17 00:00:00 2001
+From: Yuanjun Gong <ruc_gongyuanjun@163.com>
+Date: Fri, 28 Jul 2023 01:03:18 +0800
+Subject: fbdev: mmp: fix value check in mmphw_probe()
+
+From: Yuanjun Gong <ruc_gongyuanjun@163.com>
+
+commit 0872b2c0abc0e84ac82472959c8e14e35277549c upstream.
+
+in mmphw_probe(), check the return value of clk_prepare_enable()
+and return the error code if clk_prepare_enable() returns an
+unexpected value.
+
+Fixes: d63028c38905 ("video: mmp display controller support")
+Signed-off-by: Yuanjun Gong <ruc_gongyuanjun@163.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/mmp/hw/mmp_ctrl.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/mmp/hw/mmp_ctrl.c
++++ b/drivers/video/fbdev/mmp/hw/mmp_ctrl.c
+@@ -523,7 +523,9 @@ static int mmphw_probe(struct platform_d
+ 		ret = -ENOENT;
+ 		goto failed;
+ 	}
+-	clk_prepare_enable(ctrl->clk);
++	ret = clk_prepare_enable(ctrl->clk);
++	if (ret)
++		goto failed;
+ 
+ 	/* init global regs */
+ 	ctrl_set_default(ctrl);
diff --git a/queue-4.19/powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch b/queue-4.19/powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch
new file mode 100644
index 00000000000..71f268948fb
--- /dev/null
+++ b/queue-4.19/powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch
@@ -0,0 +1,68 @@
+From 4f3175979e62de3b929bfa54a0db4b87d36257a7 Mon Sep 17 00:00:00 2001
+From: Nathan Lynch <nathanl@linux.ibm.com>
+Date: Thu, 10 Aug 2023 22:37:55 -0500
+Subject: powerpc/rtas_flash: allow user copy to flash block cache objects
+
+From: Nathan Lynch <nathanl@linux.ibm.com>
+
+commit 4f3175979e62de3b929bfa54a0db4b87d36257a7 upstream.
+
+With hardened usercopy enabled (CONFIG_HARDENED_USERCOPY=y), using the
+/proc/powerpc/rtas/firmware_update interface to prepare a system
+firmware update yields a BUG():
+
+  kernel BUG at mm/usercopy.c:102!
+  Oops: Exception in kernel mode, sig: 5 [#1]
+  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
+  Modules linked in:
+  CPU: 0 PID: 2232 Comm: dd Not tainted 6.5.0-rc3+ #2
+  Hardware name: IBM,8408-E8E POWER8E (raw) 0x4b0201 0xf000004 of:IBM,FW860.50 (SV860_146) hv:phyp pSeries
+  NIP:  c0000000005991d0 LR: c0000000005991cc CTR: 0000000000000000
+  REGS: c0000000148c76a0 TRAP: 0700   Not tainted  (6.5.0-rc3+)
+  MSR:  8000000000029033 <SF,EE,ME,IR,DR,RI,LE>  CR: 24002242  XER: 0000000c
+  CFAR: c0000000001fbd34 IRQMASK: 0
+  [ ... GPRs omitted ... ]
+  NIP usercopy_abort+0xa0/0xb0
+  LR  usercopy_abort+0x9c/0xb0
+  Call Trace:
+    usercopy_abort+0x9c/0xb0 (unreliable)
+    __check_heap_object+0x1b4/0x1d0
+    __check_object_size+0x2d0/0x380
+    rtas_flash_write+0xe4/0x250
+    proc_reg_write+0xfc/0x160
+    vfs_write+0xfc/0x4e0
+    ksys_write+0x90/0x160
+    system_call_exception+0x178/0x320
+    system_call_common+0x160/0x2c4
+
+The blocks of the firmware image are copied directly from user memory
+to objects allocated from flash_block_cache, so flash_block_cache must
+be created using kmem_cache_create_usercopy() to mark it safe for user
+access.
+
+Fixes: 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0")
+Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+[mpe: Trim and indent oops]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20230810-rtas-flash-vs-hardened-usercopy-v2-1-dcf63793a938@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/rtas_flash.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/kernel/rtas_flash.c
++++ b/arch/powerpc/kernel/rtas_flash.c
+@@ -714,9 +714,9 @@ static int __init rtas_flash_init(void)
+ 	if (!rtas_validate_flash_data.buf)
+ 		return -ENOMEM;
+ 
+-	flash_block_cache = kmem_cache_create("rtas_flash_cache",
+-					      RTAS_BLK_SIZE, RTAS_BLK_SIZE, 0,
+-					      NULL);
++	flash_block_cache = kmem_cache_create_usercopy("rtas_flash_cache",
++						       RTAS_BLK_SIZE, RTAS_BLK_SIZE,
++						       0, 0, RTAS_BLK_SIZE, NULL);
+ 	if (!flash_block_cache) {
+ 		printk(KERN_ERR "%s: failed to create block cache\n",
+ 				__func__);
diff --git a/queue-4.19/series b/queue-4.19/series
index 53bca8e16df..e046c8a22b2 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -54,3 +54,5 @@ nfsd-remove-incorrect-check-in-nfsd4_validate_statei.patch
 virtio-mmio-convert-to-devm_platform_ioremap_resourc.patch
 virtio-mmio-use-to_virtio_mmio_device-to-simply-code.patch
 virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch
+fbdev-mmp-fix-value-check-in-mmphw_probe.patch
+powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch
-- 
2.47.3